Cyber and Physical Security: Lessons Learned From the Electric Industry
Joel deJesus Dinsmore & Shohl LLP Washington, DC [email protected] For the Energy and Mineral Law Foundation, Kentucky Mineral Law Conference, October, 2016
2
3
The electric grid “faces physical or online attacks approximately ‘once every four days’”
CIP Reliability Standards - Cybersecurity • CIP-002 –Asset Identification/Categorization
• CIP-003 – Security Management Controls
• CIP-004 – Personnel & Training
• CIP-005 – Electronic Security Perimeters
• CIP-006 – Physical Security
• CIP-007 – Systems Security Management
• CIP-008 – Incident Reporting and Response
• CIP-009 – Recovery Plans
• CIP-010 – Configuration Change Management
• CIP-011 - Information Protection
4
CIP Standards Evolution – 7 Versions in 10 years?
5
• 2003 – Urgent Action 1200 – Voluntary pre-ERO cybersecurity standards
• 2008 – Version 1 – First set of mandatory CIP standards approved (Order No. 706)
• 2009 – Version 2 – Eliminated “reasonable business judgment” and “acceptance of risk” criteria; added rigor in critical cyber asset identification
CIP Standards Evolution – 7 Versions in 10 years?
6
• 2010 – Version 3 –Addressing FERC directives to clarify standards and implementation plans
• 2012 – Version 4 – Added “bright line” criteria for identifying critical cyber assets (Order No. 761)
• 2013 – Version 5 – Shifted from critical cyber assets to BES Cyber Systems; added configuration change management (Order No. 791)
CIP Standards Evolution – 7 Versions in 10 years?
7
• 2015 – Physical Security and CIP-014
• 2016 – “Revisions to Version 5” – Eliminated “identify, assess, and correct” language; enhanced security controls for Low Impact assets; addressed transient devices and nonprogrammable components of communications networks
• 2017 – Supply chain risk management standard? (Order No. 829)
Enforcement of CIP Standards
8
Source: NERC Compliance Monitoring and Enforcement Program Quarterly Update, Q3 2015
Source: NERC, Key Compliance Enforcement Metrics and Trends, February 11, 2015
Physical Security
9
Physical Security?
10
“While cyberattack is the most serious threat to our electric power system and is the primary focus of this book, it is not the only threat”
Physical Security?
11
Matt Farrell: You just killed a helicopter with a car! John McClane: I was out of bullets.
- Live Free or Die Hard (2007)
Metcalf Substation California, April 16, 2013
• Coordinated attack
• Nearby fiber optic cables cut
• >100 shell casings from AK-47s
• 17 transformers damaged
• 52,000 of oil leaked
• $15 million damage
• Still under investigation
12
Metcalf Substation California, April 16, 2013
The Metcalf incident was “the most significant incident of domestic terrorism involving the grid that has ever occurred.” – “Assault on Power Grid Raises Alarms,” WSJ, February 5, 2014
13
Arkansas – August/September 2013 • Jason Woodring - acted alone
• Attempted to take down a 500 kV tower using a train
• Set fire to and destroyed an EHV switching station
• Cut down two power poles, which led to outage for approximately 9,000
• Pleaded guilty on March 2015
14
NERC and Physical Security • January 2014 – Interviews by former FERC Chair
Wellinghoff regarding Metcalf Incident
• March 7, 2014 – FERC ordered NERC to file a Physical Security Standard within 90 days
• May 23, 2014 - NERC filed proposed standard
• July 17, 2014 – FERC issued NOPR
• November 20, 2014 – FERC issued Order No. 802
• October 15, 2015 - CIP-014-1 Enforcement Date
15
CIP-014-1
R1 - Risk assessment
R2 - 3rd party verification of risk assessment
R3 - Coordination between TO and TOP
R4 - Evaluation of threats and vulnerabilities
R5 - Physical security plan
R6 - 3rd party review of evaluation and plan
16
17
Source: NERC Compliance Monitoring and Enforcement Program Quarterly Update, Q3 2015
Source: NERC, Key Compliance Enforcement Metrics and Trends, February 11, 2015
Supply Chain Risk
18
“Separately, we are concerned that changes in the bulk electric system cyber threat landscape, identified through recent malware campaigns targeting supply chain vendors, have highlighted a gap in the protections under the CIP Reliability Standards. These malware campaigns represent a new type of threat to the reliability of the bulk electric system where malicious code can infect the software of industrial control systems used by responsible entities.”
Revised Critical Infrastructure Protection Reliability Standards, 80 Fed. Reg. 43,354 (July 22, 2015), 152 FERC ¶ 61,054 (2015)
NOPR – Identified Risks • Such supply chains are complex, globally
distributed and interconnected systems that have geographically diverse routes and consist of multiple tiers of outsourcing.
• Supply chain risks may include the insertion of counterfeits, unauthorized production, tampering, theft, or insertion of malicious software, as well as poor manufacturing and development practices.
19
Supply Chain Risk Management - What is Really at Stake?
20
ICS-ALERT-14-176-02A – ICS focused malware campaign
• Software installers were infected with Havex Trojan
• 3 known ICS vendors
• Indicators of compromise to critical infrastructure owners and operators
Supply Chain Risk Management - What is Really at Stake?
21
ICS-ALERT-14-281-01E – Ongoing malware campaign compromising ICS
• Ongoing since 2011
• Variant of BlackEnergy malware (BE3)
• Various vendors have been targeted (GE Cimplicity, Advantech/Broadwin WebAccess and Seimens WinCC)
• 2016 Update: BE3 was present in Ukraine Attack
Supply Chain Risk Management - What is Really at Stake?
22
E-ISAC, Analysis of the Cyber Attack on Ukrainian Power Grid (March 18, 2016)
• Spear Phishing/Theft of credentials
• Used VPNs from business network to enter ICS network
• Mitigation – Procurement/licensing of trusted hardware/software; network monitoring; strategic technology refresh
• On July 21, 2016, FERC directed NERC to develop a standard within one year
• Four security objectives
o Software integrity and authenticity
o Vendor remote access
o Information system planning
o Vendor risk management and procurement controls
Order No. 829
23
Order No. 829 Objective 1: Software Integrity and Authenticity
• Verify identity of software publisher
• Verify integrity of software and patches prior to installation
• Avoid “Watering Hole” Attack
24
Order No. 829 Objective 2: Vendor Remote Access
• Logging and controlling all third-party initiated remote access sessions
• User initiated and machine-to-machine remote access
• Theft of credentials and remote persistent connections were central to Ukraine Attack
25
Order No. 829 Objective 3: Information System Planning
• Include security considerations as part of IS planning
• Document role of CIP Senior Manager
• ICS-CERT
o BlackEnergy Malware alert – “minimize network exposure for all control system devices/subsystems”
o Ukraine incident – strategic technology refreshes
26
Order No. 829 Objective 4: Vendor Risk Management and Procurement Controls
• Verification of security concepts in future contracts
o Security event notification and coordinated incident response
o Personnel termination
o Vulnerability disclosures
27
Order No. 829 - What is Really Required?
28
Software Integrity and Authenticity
CIP-007 R2 CIP-004 R3
Secure transmittal of patches Validate patch integrity
Vendor Remote Access CIP-005 R2 Machine-to-machine logging
Monitor/terminate sessions
Information System Planning
CIP-010 Procurement controls
Vendor Risk Management & Procurement Controls
Include security concepts in future contracts
Voluntary Sharing
29
ISACs OEIS CRISP ISAOs, NCCIC, CISCP, AIS
Voluntary Sharing
30
• What type of information is being shared? • Is the sharing performed manually or
automatically? • Who is responsible for screening for personally
identifiable information? • Are there liability protections for the “sharer” and
the “receiver”?
Cybersecurity Information Sharing Act of 2015, Title I of the Cybersecurity Act of 2015, which was part of Consolidated Appropriations Act of 2016, 114 Pub.L. No. 113, 129 Stat. 2242.
Section 215A of the Federal Power Act, Section 61,003 of Fixing America’s Surface Transportation Act, Pub. L. No. 114-94, 129 Stat. 1312 (December 4, 2015)
31
Emerging Issues
32
33
“The cyber attacks in Ukraine are the first publicly acknowledged incidents to result in power outages. As future attacks may occur, it is important to scope the impacts of the incident.”
Ukraine Attack
34
• December 23, 2015 3:35 P.M. local time
• Seven 110kV and twenty-three 35kV substations were disconnected for 3 hours
• Foreign attacker controlled the SCADA distribution management system
• Affected three separate “oblenergos” (energy companies), 225,000 customers
Ukraine Attack
35
Response to Ukraine Attack
DHS, ICS CERT IR-ALERT-H-16-056-01 (February 25, 2016)
36
Response to Ukraine Attack: Supply Chain Risk Management
“The first, most important step in cybersecurity is implementation of information resources management best practices. Key examples include: procurement and licensing of trusted hardware and software systems; knowing who and what is on your network through hardware and software asset management automation; on time patching of systems; and strategic technology refresh.”
37
Response to Ukraine Attack: Application Whitelisting
“Application Whitelisting (AWL) can detect and prevent attempted execution of malware uploaded by malicious actors. The static nature of some systems, such as database servers and HMI computers, make these ideal candidates to run AWL. Operators are encouraged to work with their vendors to baseline and calibrate AWL deployments.”
FERC NOI re Cyber Systems in Control Centers, 156 FERC ¶ 61,051 (July 21, 2016)
38
Response to Ukraine Attack: Isolation
“Organizations should isolate ICS networks from any untrusted networks, especially the Internet. All unused ports should be locked down and all unused services turned off. If a defined business requirement or control function exists, only allow real-time connectivity to external networks. If one-way communication can accomplish a task, use optical separation (‘data diode’). If bidirectional communication is necessary, then use a single open port over a restricted network path.”
39
Beyond the Electric Industry
40
Voluntary Standards and Guidelines
41
• “This document is guidance. It does not impose mandatory requirements on any person.”
• Provides framework for:
o Corporate Security Plan
o Risk Analysis/Criticality
o Facility Security Measures
o Cyber Asset Security Measures
o National Terror Advisory System
42
https://www.tsa.gov/sites/default/files/tsapipelinesecurityguidelines-2011.pdf
• TSA has statutory authority to promulgate pipeline physical and cybersecurity regulations
• TSA believes that voluntary standards are better, and is concerned that mandatory standards will reduce security
• Pipelines have been the target of attempted attacks and terrorist threats (Al Qaeda)
• Although no cyber attacks, there have been a number of SCADA-related incidents (inc. San Bruno)
http://fas.org/sgp/crs/homesec/R42660.pdf
43
Pipelines Are Already Subject to PHSMA Facility Security Regulations
• Security for LNG Facilities - 49 C.F.R. Part 193, Subpart J
• Security for Transportation of Hazardous Liquids by Pipelines- 49 C.F.R. §195.436
44
Pipelines are Already Subject to Voluntary Sharing
45
Lessons Learned from the Electric Industry
46
47
Reactiveness
48
Scope Creep • Voluntary Standards >> Mandatory Standards >>
Voluntary Sharing
• Operational standards >> Security standards
• Cybersecurity >> Physical security
• Utility systems >> Supply chain
• ESPs and PSPs >> Isolation
49
Regulatory Uncertainty
50
Uniqueness Among Sectors
51
Familiar Process
52
Reliability & Security